OpenBSD + ADSL + PF + QDNS configuration walkthrough
Author: llzqq@CU linuxhelp forum (2005-03-30 14:42:26)
After reading through a lot of documentation on the net (I can no longer remember exactly where), I experimented and wrote up the process of configuring ADSL, PF and QDNS on OpenBSD. I hope it is of some help to OpenBSD beginners. OpenBSD 3.6 is used below.
Configure ADSL:

# vi /etc/ppp/ppp.conf
========================ppp.conf=======================
default:
 set log Phase Chat IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000

pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set crtscts off
 set speed sync
 enable lqr
 #set lqrperiod 5
 #set cd 5
 set dial
 set login
 #set timeout 0
 set authname "sjz681a0156@adsl2"
 set authkey 123456
 add! default HISADDR
 #enable dns
 enable mssfixup
========================ppp.conf=======================
Create the firewall configuration:

# vi /etc/pf.conf
=========================pf.conf=======================
# Macros
Ext = "tun0"
Int = "dc0"
IntNet = "192.168.0.0/24"
RouterIP = "192.168.0.1"
Loop = "lo0"

# Addresses that are never routed on the Internet
NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

# Ports to open
InServicesTCP = "{ ssh, ftp, auth, http }"

# Collect statistics on the external interface (pfctl -s info)
set loginterface $Ext

# Expire idle states quickly to reduce memory use
set optimization aggressive

# Reassemble IP fragments
scrub in on $Ext all fragment reassemble

# Enable NAT
nat on $Ext from $IntNet to any -> $Ext

### Filter rules ###
# First block all inbound and outbound packets
block out on $Ext all
block in on $Ext all

block return-rst out log on $Ext proto tcp all
block return-rst in log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in log on $Ext proto udp all

# Disable IPv6
block in quick inet6 all
block out quick inet6 all

# Allow loopback traffic
pass in quick on $Loop all
pass out quick on $Loop all

# Make life harder for nmap and similar scanners
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext os NMAP

# Anti-spoofing
block in log quick on $Ext inet from $NoRoute to any
block in log quick on $Ext inet from any to $NoRoute

# Allow active-mode FTP
pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state

# Allow being pinged
#pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Ports open to the outside world
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state

# Allow packets from the inside out
pass out quick on $Ext all keep state
=========================pf.conf=======================
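The scanner-flag and anti-spoofing rules above are easiest to understand by executing their logic. The script below is an added example, not part of the original post and not pf code: it reimplements pf's `flags SET/MASK` matching and the $NoRoute address test in Python, walks the `quick` inbound rules on $Ext in ruleset order for a few constructed packets, and reports which rule each one hits. Addresses and packets are constructed samples (documentation ranges); the port numbers are the standard /etc/services values for ssh, ftp, auth and http. The `user proxy` and `os NMAP` rules are not modelled. Before loading the real file, `pfctl -nf /etc/pf.conf` parses it without activating it.

```python
import ipaddress

# pf 'flags SET/MASK' semantics: of the TCP flags named in MASK, exactly the
# ones named in SET must be set; flags outside MASK are ignored.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters):
    """Translate a string of pf flag letters (e.g. 'SA') into a bit mask."""
    return sum(FLAG_BITS[c] for c in letters)


def flags_match(packet_flags, rule):
    """Does a packet carrying packet_flags match a pf 'flags SET/MASK' clause?"""
    set_part, mask_part = rule.split("/")
    return (flag_bits(packet_flags) & flag_bits(mask_part)) == flag_bits(set_part)


# The three flag rules from the ruleset, in the order pf evaluates them.
SCAN_FLAG_RULES = ("FUP/FUP", "SF/SFRA", "/SFRA")


def blocked_by_flag_rules(packet_flags):
    """Return the flag rules a packet trips (Xmas, SYN/FIN and null probes)."""
    return [r for r in SCAN_FLAG_RULES if flags_match(packet_flags, r)]


# $NoRoute from the ruleset; strict=False because pf accepts 127.0.0.1/8 as written.
NO_ROUTE = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.1/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "255.255.255.255/32")]


def is_no_route(addr):
    """True if addr falls inside any $NoRoute network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NO_ROUTE)


# $InServicesTCP resolved through /etc/services: ssh, ftp, auth, http.
IN_SERVICES_TCP = {22, 21, 113, 80}


def filter_inbound_tcp(src, dst, dport, flags):
    """First-match walk of the 'quick' rules on $Ext for an inbound IPv4 TCP packet.
    'user proxy' (active FTP) is not modelled because it depends on which local
    process owns the socket; 'os NMAP' passive fingerprinting is not modelled either."""
    hits = blocked_by_flag_rules(flags)
    if hits:
        return "block (scan flags %s)" % hits[0]
    if is_no_route(src) or is_no_route(dst):
        return "block (address in $NoRoute)"
    if dport in IN_SERVICES_TCP and flags_match(flags, "S/SAFR"):
        return "pass (keep state)"
    # Nothing quick matched: the last matching non-quick rule is
    # 'block return-rst in log on $Ext proto tcp all'.
    return "block return-rst (default)"


if __name__ == "__main__":
    # Constructed sample packets (documentation-range addresses, not real hosts).
    samples = [
        ("203.0.113.7", "198.51.100.9", 22, "S"),     # plain SYN to ssh
        ("203.0.113.7", "198.51.100.9", 22, "FPU"),   # Xmas probe
        ("203.0.113.7", "198.51.100.9", 22, "SF"),    # SYN/FIN probe
        ("203.0.113.7", "198.51.100.9", 22, ""),      # null probe
        ("10.1.2.3", "198.51.100.9", 80, "S"),        # RFC 1918 source on the WAN side
        ("203.0.113.7", "198.51.100.9", 8080, "S"),   # port not in $InServicesTCP
        ("203.0.113.7", "198.51.100.9", 80, "A"),     # bare ACK with no state
    ]
    for src, dst, dport, flags in samples:
        verdict = filter_inbound_tcp(src, dst, dport, flags)
        print("%-13s -> %s:%-5d flags=%-4s %s" % (src, dst, dport, flags or "-", verdict))
```

The order of the checks mirrors the order of the `quick` rules in the file: because pf stops at the first `quick` match, the scan and spoofing blocks must sit before the `pass in` rules or they would never be reached for the open ports.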
Enable IP forwarding:

# vi /etc/sysctl.conf
net.inet.ip.forwarding=1

Dial the ADSL link at boot:

# vi /etc/rc.local
/usr/sbin/ppp -ddial pppoe

Set the name servers:

# vi /etc/resolv.conf
nameserver 202.99.160.68
nameserver 202.99.168.8

Load and unload the firewall as the link comes up and goes down:

# vi /etc/ppp/ppp.linkup
MYADDR:
 ! sh -c "/sbin/ifconfig pflog0 up"
 ! sh -c "/sbin/pflogd"
 ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"

# vi /etc/ppp/ppp.linkdown
MYADDR:
 ! sh -c "/sbin/pfctl -d -F all"
 ! sh -c "kill `cat /var/run/pflogd.pid`"
 ! sh -c "/sbin/ifconfig pflog0 down"
 ! sh -c "/sbin/route delete default"
Configure dynamic DNS updates:

# tar zxvf ez-ipupdate-3.0.10.tgz
# cd ez-ipupdate-3.0.10
# ./configure
# make
# make install

Run the IP updater automatically after the link comes up:

# vi /etc/ppp/ppp.linkup
MYADDR:
 ! sh -c "/sbin/ifconfig pflog0 up"
 ! sh -c "/sbin/pflogd"
 ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
 !bg /usr/local/bin/ez-ipupdate -i tun0 -h nero.3322.org -S qdns -u yourname:yourpw

After completing the configuration above, reboot the machine and you are done.
(Source: http://www.fanqiang.com)
Original link: http://linux.computersci.net/forum/showthreaded.php?Cat=&Board=UBB31&Number=2697&page=19&view=collapsed&sb=4&o=